Add client_secret_expires_at to OAuth Applications #30317
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This allows us to support future
client_secret
expiry, whilst also advertising that clients do not currently expire automatically. This is inspired by Auth0's Open Dynamic Client Registration documentation.— OAuth 2.0 Dynamic Registration, RFC 7591, Section 3.2.1
This PR requires #30316 to be merged, since the OAuth Application vacuuming currently does not have any predictable expiration properties. So if we leave OAuth Application vacuuming in as currently existing, the value of
0
would not be correct, since the client could be vacuumed at any point in time after 1 day.This allows Application developers to prepare and be adaptive to when we may introduce client_secret expiry in the future, such that they can know when their application would expire. (Supporting this would require a database migration to add a column to the oauth_applications table for expiry).